* [gentoo-user] Fail2Ban vs SSHGuard? Comparison? What's the difference?
From: Stroller @ 2017-09-16 14:06 UTC
To: gentoo-user
Is anyone familiar enough with this subject to make a comparison between these two programs, please?
If I google Fail2Ban vs SSHGuard I get many hits saying "I use this one", but no-one saying why one might be better than the other.
So far I'm favouring SSHGuard, but mostly because the website looks prettier.
I want to be able to use passwords, so allowing logons only by public-key is no good (also would be nice to block failed IMAP connection attempts).
Thanks in advance for any thoughts.
Stroller.
* Re: [gentoo-user] Fail2Ban vs SSHGuard? Comparison? What's the difference?
From: Alan McKinnon @ 2017-09-16 19:31 UTC
To: gentoo-user
On 16/09/2017 16:06, Stroller wrote:
> Is anyone familiar enough with this subject to make a comparison between these two programs, please?
>
> If I google Fail2Ban vs SSHGuard I get many hits saying "I use this one", but no-one saying why one might be better than the other.
>
> So far I'm favouring SSHGuard, but mostly because the website looks prettier.
>
> I want to be able to use passwords, so allowing logons only by public-key is no good (also would be nice to block failed IMAP connection attempts).
>
> Thanks in advance for any thoughts.
>
> Stroller.
>
Depends what you want, they both achieve the same end. fail2ban reads
all manner of log files and such, decides based on rules if someone is
being naughty, and then takes action (most often listing the source
address in a packet filter drop rule).
As far as I'm aware (and could be wrong), sshguard is mostly just sshd
whereas fail2ban works on anything you can give it consistent logs for.
There's not much to choose between them really.
So go for the one that seems to fit your needs best, if you scan the man
pages and sample rules files and one jumps out as a clear winner that
you understand easily, then that is the one you use.
The question is almost never "does this thing do what I want?" as the
answer is so often yes. The question is always "do I understand this
thing and can drive it easily?"
--
Alan McKinnon
alan.mckinnon@gmail.com
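The log-driven model described in the reply above (match failure lines per service, count them per source address inside a time window, then ban), as an added Python example that is not part of the thread and not code from either tool. The regular expressions, thresholds and log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Example patterns written for this block (assumed log formats), one per service.
RULES = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+"),
    "imap": re.compile(r"imap-login: .*auth failed.*rip=(?P<host>[^,\s]+)"),
}
MAXRETRY, FINDTIME = 3, timedelta(minutes=10)  # assumed thresholds

# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = """\
2017-09-16T14:00:01 mail sshd[411]: Failed password for root from 203.0.113.7 port 50122 ssh2
2017-09-16T14:00:05 mail sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
2017-09-16T14:00:09 mail sshd[415]: Accepted password for bob from 198.51.100.20 port 40022 ssh2
2017-09-16T14:00:12 mail sshd[411]: Failed password for root from 203.0.113.7 port 50141 ssh2
2017-09-16T14:01:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, rip=198.51.100.99, lip=192.0.2.1
2017-09-16T14:02:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, rip=198.51.100.99, lip=192.0.2.1
2017-09-16T14:03:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, rip=198.51.100.99, lip=192.0.2.1
2017-09-16T14:05:00 mail sshd[420]: Failed password for root from 192.0.2.50 port 2200 ssh2
2017-09-16T14:20:00 mail sshd[421]: Failed password for root from 192.0.2.50 port 2201 ssh2
2017-09-16T14:40:00 mail sshd[422]: Failed password for root from 192.0.2.50 port 2202 ssh2
"""

def find_offenders(log_text, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {host: service} for hosts with maxretry failures inside findtime."""
    recent = defaultdict(deque)  # (service, host) -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        stamp, _, rest = line.partition(" ")
        when = datetime.fromisoformat(stamp)
        for service, pattern in RULES.items():
            m = pattern.search(rest)
            if not m:
                continue
            host = m.group("host")
            window = recent[(service, host)]
            window.append(when)
            while when - window[0] > findtime:  # drop failures older than the window
                window.popleft()
            if len(window) >= maxretry and host not in banned:
                banned[host] = service  # a real tool would add a packet filter rule here
    return banned

if __name__ == "__main__":
    for host, service in find_offenders(SAMPLE_LOG).items():
        print(f"ban {host} (rule: {service})")
```

The third source address fails three times but never three times within ten minutes, so it is not listed; supporting another service means adding one pattern to `RULES`.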
* Re: [gentoo-user] Fail2Ban vs SSHGuard? Comparison? What's the difference?
From: Stroller @ 2017-09-16 21:25 UTC
To: gentoo-user
> On 16 Sep 2017, at 20:31, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
>
> As far as I'm aware (and could be wrong), sshguard is mostly just sshd
> whereas fail2ban works on anything you can give it consistent logs for.
I thought otherwise, but you appear to be right - SSHGuard appears to have only a handful of "signatures", so it looks like Fail2Ban it is.
https://www.sshguard.net/docs/reference/attack-signatures/
Stroller.
* Re: [gentoo-user] Fail2Ban vs SSHGuard? Comparison? What's the difference?
From: Alan McKinnon @ 2017-09-16 21:27 UTC
To: gentoo-user
On 16/09/2017 23:25, Stroller wrote:
>
>> On 16 Sep 2017, at 20:31, Alan McKinnon <alan.mckinnon@gmail.com> wrote:
>>
>> As far as I'm aware (and could be wrong), sshguard is mostly just sshd
>> whereas fail2ban works on anything you can give it consistent logs for.
>
> I thought otherwise, but you appear to be right - SSHGuard appears to have only a handful of "signatures", so it looks like Fail2Ban it is.
>
> https://www.sshguard.net/docs/reference/attack-signatures/
I reckon too, you did say folding in IMAP would also be cool.
As a sidenote, I've just finished rolling out fail2ban here at work.
It's a mobile provider and ISP with millions and millions of phones out
there, and the owners have some very odd ideas on how mail works.
Especially just how much mail coming from their individual phones I'm
willing to relay (answer: not very much at all :-) )
Anyway, fail2ban went on the mail relays with strict rules as to number
of connections etc etc. The amount of tweaking I had to make was minimal
- just change some numbers. All the rules I needed were already there
baked in, I just had to enable them and set the numbers. It even knew
these are FreeBSD relays so the packet filter is pf.
It's such a pleasure to use a product built with real engineering in
mind and does it right. fail2ban ticks that box for me.
--
Alan McKinnon
alan.mckinnon@gmail.com